Re: fanotify as syscalls

From: Jamie Lokier
Date: Mon Sep 21 2009 - 19:56:40 EST

Next message: Benjamin Herrenschmidt: "Re: [PATCH 1/3] slqb: Do not use DEFINE_PER_CPU for per-node data"
Previous message: Peter Williams: "Re: sched: Am I missing something?"
In reply to: Andreas Gruenbacher: "Re: fanotify as syscalls"
Next in thread: Davide Libenzi: "Re: fanotify as syscalls"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Andreas Gruenbacher wrote:
> If the antimalware vendors want to base their decisions on pathnames then
> that's their decision, and they can check /proc/self/fd/N.

Race hazards and loopholes. It doesn't work.

> Waiting for your code to demonstrate; an object based cache (e.g.,
> st_dev + st_ino) rather than a pathname based cache would seem more
> reasonable.

Nearly everything that people do with files involves paths. The point
is to cache what people (or their programs) do. Apache does not
consult inodes by number, and rsync does not write inodes by number :-)
Yes, to the code...

> > > but I see no need for access decisions on them.
> >
> > Please excuse me; I'm a bit confused. Is fanotify intended just for
> > use by access decision programs, or is the plan now for it to also be
> > a replacement for inotify? I'm getting conflicting signals about
> > that.
>
> Inotify doesn't support access decisions. So where's the problem with
> having "notify only" events for directory / mount / unmount events?

No problem here.

You seemed to be saying you want to add directory events to fanotify.
But if fanotify is only intended for access decisions? Something I
must have misunderstood in that.

> > If it's just for access decision programs, and if those aren't going
> > to care about location, then there's no need to add directory events
> > to fanotify at all. But then I'll be demanding subtree support in
> > inotify, please :-)
> >
> > > Even less so for mounts and unmounts.
> >
> > (as root) mkdir foo; mount dodgy foo -oloop; mount --bind foo/cat
> > /bin/cat
>
> ... and then someone accesses /bin/cat, which triggers a fanotify access
> decision.

That's fine as long as there was no location-awareness in the logic
which checked foo/innocent.txt and set that inode's "read-ok,cache-me" bit.

Mount only matters if you're sensitive to location. If you think
location-independent checks make good anti-malware
I_have_a_bridge_to_sell^H^H^H^H^H^H^H^H^H^H^Hfine with me :-)

-- Jamie
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Benjamin Herrenschmidt: "Re: [PATCH 1/3] slqb: Do not use DEFINE_PER_CPU for per-node data"
Previous message: Peter Williams: "Re: sched: Am I missing something?"
In reply to: Andreas Gruenbacher: "Re: fanotify as syscalls"
Next in thread: Davide Libenzi: "Re: fanotify as syscalls"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]